{"id":49088143,"url":"https://github.com/PwnKit-Labs/foxguard","last_synced_at":"2026-05-06T23:00:51.507Z","repository":{"id":348084273,"uuid":"1196232857","full_name":"PwnKit-Labs/foxguard","owner":"PwnKit-Labs","description":"A security scanner as fast as a linter, written in Rust. Live in the terminal? It also comes with a TUI triage for secrets, post-quantum audits, diff-scans and more 🦊","archived":false,"fork":false,"pushed_at":"2026-05-03T20:26:43.000Z","size":7694,"stargazers_count":235,"open_issues_count":5,"forks_count":8,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-05-03T22:23:18.363Z","etag":null,"topics":["cli","code-security","linter","opengrep","pre-commit","rust","sarif","sast","security","semgrep","static-analysis","tree-sitter","vulnerability-scanner"],"latest_commit_sha":null,"homepage":"https://foxguard.dev","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/PwnKit-Labs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-30T13:55:48.000Z","updated_at":"2026-05-02T20:05:21.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/PwnKit-Labs/foxguard","commit_stats":null,"previous_names":["peaktwilight/foxguard","pwnkit-labs/foxguard"],"tags_count":16,"template":false,"template_full_name":null,"purl":"pkg:github/PwnKit-Labs/foxguard","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PwnKit-Labs%2Ffoxguard","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PwnKit-Labs%2Ffoxguard/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PwnKit-Labs%2Ffoxguard/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PwnKit-Labs%2Ffoxguard/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/PwnKit-Labs","download_url":"https://codeload.github.com/PwnKit-Labs/foxguard/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PwnKit-Labs%2Ffoxguard/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32715436,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-06T19:35:05.142Z","status":"ssl_error","status_checked_at":"2026-05-06T19:35:03.996Z","response_time":117,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cli","code-security","linter","opengrep","pre-commit","rust","sarif","sast","security","semgrep","static-analysis","tree-sitter","vulnerability-scanner"],"created_at":"2026-04-20T17:00:36.919Z","updated_at":"2026-05-06T23:00:51.497Z","avatar_url":"https://github.com/PwnKit-Labs.png","language":"Rust","funding_links":[],"categories":["Rust"],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"assets/logo.svg\" width=\"80\" alt=\"foxguard logo\" /\u003e\n\u003c/p\u003e\n\n\u003ch1 align=\"center\"\u003efoxguard\u003c/h1\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cstrong\u003eFast local security scanning in a single Rust binary.\u003c/strong\u003e\n  \u003cbr/\u003e\n  scan \u0026middot; diff \u0026middot; secrets \u0026middot; post-quantum crypto audit \u0026middot; interactive TUI triage\n  \u003cbr/\u003e\n  170+ built-in rules across 10 languages \u0026middot; cross-file taint tracking \u0026middot; Semgrep-compatible YAML bridge\n  \u003cbr/\u003e\u003cbr/\u003e\n  \u003ca href=\"https://foxguard.dev\"\u003efoxguard.dev\u003c/a\u003e \u0026middot; \u003ca href=\"https://www.npmjs.com/package/foxguard\"\u003enpm\u003c/a\u003e \u0026middot; \u003ca href=\"https://crates.io/crates/foxguard\"\u003ecrates.io\u003c/a\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/PwnKit-Labs/foxguard/actions/workflows/ci.yml\"\u003e\u003cimg src=\"https://github.com/PwnKit-Labs/foxguard/actions/workflows/ci.yml/badge.svg\" alt=\"CI\" /\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/PwnKit-Labs/foxguard\"\u003e\u003cimg src=\"https://img.shields.io/badge/foxguard-clean-3fb950?logo=data:image/svg%2bxml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHZpZXdCb3g9IjAgMCA2NCA2NCIgZmlsbD0ibm9uZSI+PHBhdGggZD0iTTggOEwyMCAyOEwzMiAyMEw0NCAyOEw1NiA4TDUyIDMyTDQ0IDQ0TDM2IDUySDI4TDIwIDQ0TDEyIDMyTDggOFoiIGZpbGw9IiNGNTlFMEIiIGZpbGwtb3BhY2l0eT0iMC4zIiBzdHJva2U9IiNGNTlFMEIiIHN0cm9rZS13aWR0aD0iMyIgc3Ryb2tlLWxpbmVqb2luPSJyb3VuZCIvPjxjaXJjbGUgY3g9IjI0IiBjeT0iMzIiIHI9IjIuNSIgZmlsbD0iI0Y1OUUwQiIvPjxjaXJjbGUgY3g9IjQwIiBjeT0iMzIiIHI9IjIuNSIgZmlsbD0iI0Y1OUUwQiIvPjwvc3ZnPg==\" alt=\"foxguard: clean\" /\u003e\u003c/a\u003e\n  \u003ca href=\"https://crates.io/crates/foxguard\"\u003e\u003cimg src=\"https://img.shields.io/crates/v/foxguard?color=d97706\u0026label=crates.io\" alt=\"crates.io\" /\u003e\u003c/a\u003e\n  \u003ca href=\"https://www.npmjs.com/package/foxguard\"\u003e\u003cimg src=\"https://img.shields.io/npm/v/foxguard?color=d97706\u0026label=npm\" alt=\"npm\" /\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/PwnKit-Labs/foxguard/stargazers\"\u003e\u003cimg src=\"https://img.shields.io/github/stars/PwnKit-Labs/foxguard?style=flat\u0026color=e3b341\u0026logo=github\" alt=\"GitHub stars\" /\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n---\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"assets/demo.gif\" alt=\"foxguard scan demo\" width=\"640\" /\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"assets/tui-findings.png\" alt=\"foxguard TUI findings list with source/sink dataflow\" width=\"640\" /\u003e\n  \u003cbr/\u003e\u003cem\u003e\u003ccode\u003efoxguard tui .\u003c/code\u003e — interactive triage with scan, diff, secrets, and PQ modes. \u003ca href=\"https://foxguard.dev/blog/foxguard-0-7-0-tui-launch\"\u003eLaunch post\u003c/a\u003e.\u003c/em\u003e\n\u003c/p\u003e\n\nfoxguard is a security scanner you can run on every save. A single Rust binary with 170+ built-in rules across 10 languages, cross-file taint tracking, Semgrep-compatible YAML loading, and four top-level modes — general scan, diff-against-branch, secrets, and post-quantum crypto audit — all reachable from the same CLI or interactive TUI.\n\nIt is fast enough for pre-commit hooks and the `--changed` path runs in milliseconds on a real repo. Output formats: terminal, JSON, SARIF (for GitHub Code Scanning), and CycloneDX 1.6 CBOM.\n\n## Quick start\n\n```sh\nnpx foxguard .                        # scan the repo\nnpx foxguard pqc .                    # post-quantum crypto audit\nnpx foxguard --format cbom .          # CycloneDX 1.6 CBOM for compliance\nnpx foxguard tui .                    # interactive triage (scan, diff, secrets, pqc)\n```\n\nOther common flags:\n\n```sh\nnpx foxguard --changed .              # only modified files\nnpx foxguard diff main .              # new findings vs target branch\nnpx foxguard --explain .              # source-to-sink dataflow traces\nnpx foxguard --github-pr 42 .         # post as PR review comments\nnpx foxguard secrets .                # leaked credentials and private keys\nnpx foxguard init                     # install local pre-commit hook\n```\n\n## The four modes\n\n| Mode | Command | What it does |\n|------|---------|--------------|\n| **Scan** | `foxguard .` | General security scan. 170+ built-in rules across JavaScript/TypeScript, Python, Go, Ruby, Java, PHP, Rust, C#, Swift, Kotlin. Framework-aware checks for Express, Next.js, Django, Flask, FastAPI, Rails, Spring, Laravel, Gin, .NET, and iOS. Intraprocedural taint flow with cross-file summaries for Python, JS, Go, Kotlin. |\n| **Diff** | `foxguard diff main .` | Only findings that are new since a target branch. Pairs with `--changed` for staged/unstaged files only. |\n| **Secrets** | `foxguard secrets .` | AWS keys, GitHub/GitLab/Slack/Stripe tokens, private keys. Redacted output, baseline support. |\n| **PQC** | `foxguard pqc .` | Post-quantum crypto audit. PQ-vulnerable-crypto rules for 5 languages plus TLS/config files. Each finding annotated with its CNSA 2.0 migration deadline. FN-DSA (FIPS 206) and HQC awareness. |\n\nAll four are reachable from `foxguard tui .` — interactive triage with review, baseline, ignore, severity overrides, confidence filter, and a CNSA 2.0 compliance panel.\n\n## Also in the box\n\n| Area | What you get |\n|------|--------------|\n| **Outputs** | Terminal, JSON, SARIF (GitHub Code Scanning), CycloneDX 1.6 CBOM (`--format cbom`). Each CBOM component links back to a source location and severity. |\n| **Semgrep compatibility** | Loads a Semgrep/OpenGrep YAML subset via `--rules`. Parity-tested in CI against the real `semgrep` CLI. See [`COMPATIBILITY.md`](./COMPATIBILITY.md). |\n| **CI integration** | Native GitHub Action (below), SARIF upload, `--github-pr` for PR review comments, exit code on findings. |\n| **Config** | `.foxguard.yml` for per-rule enable/disable, severity overrides, entropy and taint-hop thresholds, per-rule options. |\n\n## Post-quantum crypto audit\n\nNSA's CNSA 2.0 suite ([CSI, Sept 2022; FAQ v2.1, Dec 2024](https://media.defense.gov/2022/Sep/07/2003071836/-1/-1/0/CSI_CNSA_2.0_FAQ_.PDF)) mandates exclusive use of ML-KEM and ML-DSA by specific deadlines. Software and firmware signing are the earliest class — exclusive use by 2030 — with traditional networking, operating systems, and web browsers trailing through 2033. Every finding foxguard produces for a PQ-vulnerable algorithm carries the matching deadline in the output.\n\n```sh\nfoxguard pqc .\n```\n\n```\nsrc/tls/client.go\n  42:14  HIGH      go/pq-vulnerable-crypto (CWE-327)\n         ECDH P-256 is not post-quantum safe. CNSA 2.0 mandates ML-KEM-1024\n         for NSS; ML-KEM-768 is the NIST default for commercial use.\n         CNSA 2.0 deadline: traditional networking equipment, 2030.\n\nWARNING 1 PQ finding in 18 files (0.04s): 1 high, 0 medium, 0 low\nCNSA 2.0 migration: at-risk (1 finding with an NSA transition deadline)\n```\n\nAs far as we can tell, foxguard is the first OSS source-code scanner that annotates each PQ finding with its CNSA 2.0 migration deadline. Remediation guidance surfaces ML-KEM-1024 / ML-DSA-87 for NSS workloads and ML-KEM-768 / ML-DSA-65 for commercial use, per the CNSA 2.0 algorithm table.\n\n**CBOM export.** `foxguard --format cbom .` produces a CycloneDX 1.6 cryptographic bill of materials. Each component (algorithm, key, protocol) is linked back to the source location that emitted it and the severity of any finding on that site. IBM's [CBOMkit](https://github.com/IBM/cbomkit), [sonar-cryptography](https://github.com/IBM/sonar-cryptography), and [cdxgen](https://github.com/CycloneDX/cdxgen) all ship CBOM output; foxguard's contribution is that the scan and the inventory are one artifact, so `crypto-agility` scoring and CNSA 2.0 annotations travel with the BOM.\n\n**Rule coverage.** PQ-vulnerable-crypto rules ship for Python, JavaScript/TypeScript, Go, Java, and Rust; TLS configuration files (OpenSSL, nginx, Apache) are also scanned for non-PQ cipher suites.\n\n## Install\n\n```sh\nnpx foxguard .                                           # no install needed\ncurl -fsSL https://foxguard.dev/install.sh | sh          # prebuilt binary (macOS/Linux)\ncargo install foxguard                                   # crates.io\n```\n\n**Editors and agents:**\n\n- [VS Code extension](https://marketplace.visualstudio.com/items?itemName=peaktwilight.foxguard) scans on save and shows findings inline.\n- [Claude Code plugin](./plugins/claude-code) auto-scans files after Claude writes or edits them, adds `/foxguard:*` scan/triage/PQ/secrets skills, and injects secure-coding defaults into agent sessions.\n\n```sh\nclaude --plugin-dir ./plugins/claude-code\n```\n\nRun `/foxguard:setup` inside Claude Code to verify the scanner is available. See [Claude Code integration](docs/claude-code-integration.md) for local plugin loading, hook behavior, and marketplace status.\n\n## CI integration\n\n```yaml\nname: Security\non: [push, pull_request]\njobs:\n  foxguard:\n    runs-on: ubuntu-latest\n    permissions:\n      security-events: write\n    steps:\n      - uses: actions/checkout@v4\n      - uses: PwnKit-Labs/foxguard/action@v0.7.1\n        with:\n          path: .\n          severity: medium\n          fail-on-findings: \"true\"\n          upload-sarif: \"true\"\n```\n\nFindings land in **Security → Code Scanning**. On any other CI: `npx foxguard@latest --format sarif . \u003e out.sarif`. For Claude Code and other agent/editor hooks, see [docs/claude-code-integration.md](docs/claude-code-integration.md).\n\n**Pre-commit:**\n\n```yaml\nrepos:\n  - repo: https://github.com/PwnKit-Labs/foxguard\n    rev: v0.7.1\n    hooks:\n      - id: foxguard\n```\n\n## Benchmarks\n\nReproducible via `./benchmarks/run.sh`. Numbers below are from a local run on an Apple Silicon laptop with `foxguard 0.6.2`, `semgrep 1.156.0`, `tokei 14.0.0`. LoC is counted by tokei, scoped to the target language only (no vendored HTML/JSON).\n\n| Repo | Files | LoC | foxguard | Semgrep | Speedup |\n|------|-------|-----|----------|---------|---------|\n| express (framework) | 141 | 15,804 JS | **0.276s** | 6.09s | **22x** |\n| flask (framework) | 83 | 14,029 Py | **0.333s** | 6.51s | **20x** |\n| gin (framework) | 99 | 17,669 Go | **0.499s** | 4.95s | **10x** |\n| **sentry (production)** | **8,539** | **1,291,606 Py** | **35.4s** | 194.0s | **5x** |\n\nSentry is the stress target at ~1.3M Python LoC: foxguard scans the whole tree in ~35 seconds; Semgrep with `--config auto` takes ~3m14s. Run on one machine — reproduce locally with `./benchmarks/run.sh` (add `BENCH_SKIP_LARGE=1` to skip sentry). See [`benchmarks/README.md`](./benchmarks/README.md) for the reproduction recipe.\n\n## Rules\n\n170+ built-in rules across 10 languages, covering SQL injection, XSS, SSRF, command injection, hardcoded secrets, weak crypto, unsafe deserialization, log injection, PQ-vulnerable crypto, crypto-agility, and framework-specific checks. Full per-rule coverage, precision tiers, and false-positive methodology live in [docs/precision.md](docs/precision.md) and on the [rules page at foxguard.dev](https://foxguard.dev/rules).\n\n## Configuration\n\nfoxguard auto-discovers `.foxguard.yml` from the scan path upward.\n\n```yaml\nscan:\n  baseline: .foxguard/baseline.json\n  rules: ./semgrep-rules\n  enable_rules: [py/no-sql-injection, py/no-xss]   # optional allowlist\n  disable_rules: [py/no-eval]                      # optional denylist\n  severity_overrides:\n    py/no-hardcoded-secret: medium\n\nsecrets:\n  baseline: .foxguard/secrets-baseline.json\n  exclude_paths: [fixtures, testdata]\n```\n\nInline suppressions work with `// foxguard: ignore[rule-id]` or `# foxguard: ignore` on the target line. Full configuration reference, rule options, and threshold tuning are documented at [foxguard.dev/docs](https://foxguard.dev/docs).\n\n## What it is not\n\nfoxguard is not a full Semgrep or OpenGrep drop-in replacement. The intended model: foxguard built-ins for fast local feedback, a Semgrep/OpenGrep-compatible YAML subset as an adoption bridge, and Semgrep/OpenGrep themselves when you need the broadest external rule ecosystem. That boundary keeps local scans fast and compatibility claims testable.\n\n## Contributing\n\nAdding a rule is one struct implementing a trait. See [`CONTRIBUTING.md`](./CONTRIBUTING.md).\n\n## Part of PwnKit Labs\n\n**Open-source adversarial security for the agentic AI era.** foxguard is one piece of the stack:\n\n- **[pwnkit](https://github.com/PwnKit-Labs/pwnkit)** — AI agent pentester (detect)\n- **[foxguard](https://github.com/PwnKit-Labs/foxguard)** — Rust security scanner (prevent)\n- **[opensoar](https://github.com/opensoar-hq/opensoar-core)** — Python-native SOAR platform (respond)\n\n## License\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FPwnKit-Labs%2Ffoxguard","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FPwnKit-Labs%2Ffoxguard","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FPwnKit-Labs%2Ffoxguard/lists"}